If you believe you've found a security issue in the addy.io product or service, I encourage you to notify me. I welcome working with you to resolve the issue promptly. Thanks in advance!
- Let me know as soon as possible upon discovery of a potential security issue, and I'll make every effort to quickly resolve the issue.
- Provide me with a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. I may publicly disclose the issue before resolving it, if appropriate.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service. Only interact with accounts you own or with explicit permission of the account holder.
- If you would like to encrypt your report, please use the PGP key with fingerprint
E652C2DB43859328F35575DEBF7B93C6497510D0
(available on the openpgp.org keyserver).
To report a vulnerability please send an email to contact (at) help.addy.io, you can use the PGP key above if you wish to encrypt it.
- Security issues in any current release of addy.io. This includes the web application, browser extension, and landing page. Source code is available at https://github.com/anonaddy.
The following bug classes are out-of scope:
- Bugs that are already reported on any of addy.io's issue trackers (https://github.com/anonaddy), or that I already know of.
- Attacks requiring physical access to a user's device.
- Self-XSS
- Issues related to software or protocols not under addy.io's control
- Vulnerabilities in outdated versions of addy.io
- Missing security best practices that do not directly lead to a vulnerability
- Issues that do not have any impact on the general public
While researching, I'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of addy.io emails
- Any physical attempts against addy.io property or data centers
Thank you for helping keep addy.io and its users safe!